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SYSTEM AND METHOD FOR CONFIDENCE 
BASED INCREMENTAL ACCESS AUTHENTICATION 



BACKGROUND 

1. Technical Field; 

The present invention relates generally to a system and 
method for providing user authentication and, in particular, 
to a system and method for providing confidence-based 
authentication in an incremental access authentication 
system, wherein a confidence score is periodically computed 
during a dialog session between user and machine to check 
the confidence level in the validity of an original identity 
claim. 

2 . Description of Related Art 

The computing world is evolving towards an era where 
billions of interconnected pervasive clients will 
communicate with each other and with powerful information 
servers. Indeed, this millennium will be characterized by 
the availability of multiple information devices that make 
ubiquitous information access an accepted fact of life. Due 
to the increase in human-machine interaction that will 
result from the pervasive use of such information devices, 
users will demand that such interaction be natural and 
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simple as if they were having a conversation with another 
individual . 

One factor in making the human-machine interaction more 
natural and effective is the ability of the machine to 
5 accurately and efficiently verify an identity claim of the 
user based on speech interactions. Conventional techniques 
well known to those skilled in the art for authenticating an 
individual based on his/her speech properties are typically 
based on a numerical score, derived from comparing a given 

10 test speech sample to previously constructed speaker models. 

The authentication framework of such conventional techniques 
are based on a binary hypothesis test, where the result of 
an authentication is a yes/no answer. 

By way of example, assume s n denotes a discrete time 

15 speech sample sequence provided by a system user seeking 

access to a conversational system. This speech data, along 
with the user's speaker model Af* (which is selected based on 
an identity claim i provided by the user) , is processed to 
verify the identity claim. The identity claim itself must 

20 belong to an authorized user. More specifically, a score 
for speaker / may be computed using a real (R) valued 
function p taking as input s nr M it and possibly computed with 
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respect to the background model (s) (as is understood by 
those skilled in the art) as follows: 

p(s n ,M,)GR. (1) 

A verification (authentication) process is then performed 
via a hypothesis test. For example, given an identity claim 
/ in the above example, the competing hypotheses are: 

HO: The speech sample s n was produced by speaker L 

HI : The speech sample s„ was produced by a speaker other than z. 

Next, by computing the distribution of scores under the 
conditions of each hypothesis, the resulting (distribution) 
functions can be used to determine a decision criterion and 
predicted error rates. For example, a decision criterion 
may involve selecting a threshold t in the space of scores 
and then making the following determination: 

If p(s n >Mi) > t then accept HO, else accept HI . 

In addition, the predicted error rates may be 
determined as follows. Assuming d($H0) and d(jc\Hl) are the 
probability densities associated with each of the 
hypotheses, given a threshold the probability of false 
rejection is: 

f d(p\H0) 

J -°° (2) 
and the probability of false acceptance is: 
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J '+00 , 
, d(p\Hl). 

' (3) 
Authentication techniques that implement the above 
binary hypothesis test are useful in applications where 
human-machine interaction is typically short (e.g., a 
5 request for specific information such as a bank balance, 

simple action commands such as starting a voice activated 
car, etc.) because the authentication process is typically 
performed once at the beginning of the short dialog session. 
Indeed, with simple action commands, no further conversation 

10 is required. In addition, because of the minimal 

conversational dialog in theses instances, the system state 
(or context) does not need to be collected and maintained 
over the course of an extended interaction. 

On the other hand, more sophisticated dialogs, which 

15 are typically long in duration, are characterized by the 

need to store and manage the context and perform actions 
based on this context. Systems that afford sophisticated 
conversational dialog should also afford continual and 
unobtrusive authentication. By way of example, if the 

20 system is being used by a speaker who was initially 

authenticated, and then suddenly the speaker changes, the 
system should prevent the new speaker from being able to 
access the same privileges as the prior speaker. This is 
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particularly important in complex conversational systems 
that afford access to data with a wide range of security 
classifications. Indeed, the user's identity should be 
maintained as part of the system state (context) , whereby a 
5 change in identity of the speaker is a state change that is 

detected. 

Accordingly, a new authentication process is needed for 
implementation with a conversational system having 
sophisticated dialogs so as to provide continuous and 
10 unobtrusive authentication of the user during the course of 
the user interaction with the conversational system. 



SUMMARY OF THE INVENTION 

The present invention is directed to a system and 
method for providing continuous confidence-based 

15 authentication. The present invention may be implemented in 
an incremental access authentication system for controlling 
access to secured data having various levels of security. 
During the course of a conversational session between user 
and machine, a conversational system comprising a 

20 confidence-based authentication system according to the 

present invention will periodically analyze the input speech 
of a user interacting with the system to compute a 
"confidence measure" for the validity of an original 
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identity claim (denoted by i) provided by the user at the 
commencement of the dialog session. Advantageously, a 
"confidence measure" computation process according to the 
present invention is seamlessly integrated into the 
conversational architecture so that the conversational 
system tailors the interaction to its confidence in the 
original identity claim. 

In one aspect of the present invention, a method for 
authenticating a user in a conversational system comprises 
the steps of: receiving an identity claim from a user; 
computing a confidence score based on the identity claim 
using speech input from the user, wherein the confidence 
score is a measure of confidence in the validity of the 
identity claim; and providing the user access to secured 
data based on the computed confidence score. Preferably, 
the confidence score is based on a linear function of 
statistical models that characterize the score under a 
plurality of conditions. 

In another aspect of the present invention, the 
confidence score is maintained as part of the system state 
(context) along with the original identity claim. 

In yet another aspect, the data/resources of one or 
more secure databases is partitioned into a plurality 

of data classes. Each of the data classes is assigned a 
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security level (based on the intended application) . The 
security levels are sorted in increasing order and an access 
map is constructed using the sorted security levels. During 
a conversational session between user and machine, the 
computed confidence score will be used to determine the 
access map and, in turn, the level of data that the user may 
be allowed to access. 

In another aspect of the invention, a range of relevant 
confidence scores is partitioned into a plurality of 
regions. Each region comprising the range of confidence 
scores is assigned to one of the predetermined security 
levels. When a confidence score is computed, the region 
containing the computed confidence score is determined and 
the corresponding security level is identified. This 
security level is then used to determine the access map. 

In yet another aspect, the confidence score is 
periodically re-computed upon the occurrence of a 
predetermined event (e.g., user query). This process allows 
the conversational system to periodically check the 
confidence level of the original identity claim, so as to 
detect possible speaker changes, and/or modify the level of 
secured access provided to the user. 

These and other aspects, features and advantages of the 
present invention will be described and become apparent from 

YOR9-2000-0093USI (8728-357) - 7 - 



the following detailed description of preferred embodiments, 
which is to be read in connection with the accompanying 
drawings . 



BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram of a conversational system 
according to an embodiment of the present invention; 

Fig. 2 is a flow diagram of a method for providing user 
authentication according to one aspect of the present 
invention; 

Fig. 3 is a diagram illustrating a line segment 
partition process and corresponding access map according to 
an exemplary embodiment of the present invention; 

Fig. 4 is a flow diagram of a method for computing a 
confidence measure according to one aspect of the present 
invention; 

Fig. 5 is an exemplary graphical diagram of probability 
densities of target and impostor scores for a multi -modal 
implementation; and 

Fig. 6 is an exemplary graphical diagram of the 
confidence measure based on the probability densities 
depicted in Fig. 5. 

YOR9-2000-0093USI (8728-357) - 8 - 



DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

It is to be understood that the exemplary system 
modules and method steps described herein may be implemented 
in various forms of hardware, software, firmware, special 
5 purpose processors, or a combination thereof. Preferably, 
the present invention is implemented in software as an 
application program tangibly embodied on one or more program 
storage devices. The application program may be executed by 
any machine, device or platform comprising suitable 

10 architecture. It is to be further understood that, because 

some of the constituent system modules and method steps 
depicted in the accompanying Figures are preferably 
implemented in software, the actual connections between the 
system components (or the process steps) may differ 

15 depending upon the manner in which the present invention is 

programmed. Given the teachings herein, one of ordinary 
skill in the related art will be able to contemplate these 
and similar implementations or configurations of the present 
invention. 

20 Referring now to Fig. 1, a block diagram depicts a 

conversational system 10 employing a confidence-based 
authentication system and method according to an embodiment 
of the present invention for providing incremental access to 
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data having varying degrees of security classifications. In 
general, during the course of a conversational session 
between user and machine, the conversational system 10 
periodically analyzes the input speech (denoted s n ) of a user 
interacting with the system 10 to compute a "confidence 
measure" in the validity of an original identity claim 
(denoted /) provided by the user at the commencement of the 
dialog session. Advantageously, a "confidence measure" 
computation process according to the present invention 
(described in detail below) is seamlessly integrated into 
the conversational architecture so that the conversational 
system 10 tailors the interaction to its confidence in the 
original identity claim. 

The conversational system 10 according to a preferred 
embodiment comprises an audio I/O (input /output) module 11. 
The audio I/O module 11 comprises an acoustic front end for 
capturing input speech, as well as processing the input 
speech to extract the relevant features using any suitable 
feature extraction technique known to those skilled in the 
art. In addition, the audio I/O module 11 may comprise an 
audio playback system for outputting, e.g., audio files and 
synthesized speech. The conversational system 10 comprises 
one or more conversational engines 12 for processing the 
input speech and generating audio output. The 
YOR9-2000-0093USI (8728-357) - 10 - 



conversational engines 12 may include, for instance, a 
speech recognition engine, a speaker recognition engine, a 
TTS (text-to-speech) engine, a NLU (natural language 
understanding) engine, a NLG (natural language generation) 
5 engine, a speech compression/decompression engine, as well 

as other conversational engines that may be needed for the 
given application. The conversational engines 12 utilize 
conversational data files 13 for executing their respective 
functions (e.g., speech models, speaker models, 

10 vocabularies, grammars, language models, parsing and 

translation/tagging models, synthesis rules, baseforms 
(pronunciation rules), symbolic languages, etc.). 

The conversational system 10 further comprises a dialog 
manager 14 which, in general, controls the conversational 

15 interaction (I/O processing) with the user during a 

conversational session. More specifically, the dialog 
manager 14 performs functions such as maintaining, in 
context store 15, the conversational state or context 
associated with the given application during a 

20 conversational session, as well as allocating conversational 

engines 12 for specific conversational tasks (e.g., speech 
recognition of input speech, synthesized speech output via 
the TTS engine, etc.) . A command processor* 19, which 
operates under the control of the dialog manager 14, 

YOR9-2000-0093USI (8728-357) - 11 - 



receives and processes transcribed speech data that is 
output from, e.g., the speech recognition engine, to execute 
any allowable speech commands that the command processor 19 
recognizes in the transcribed speech. It is to be 
5 understood that the allowable commands vary based on the 
given application. 

In addition, the dialog manager 14 controls a user 
authentication process according to the present invention to 
provide incremental access to resources/data stored in a 

10 secure database 16 (or a plurality of databases) . More 

specifically, the content of database 16 is partitioned into 
a plurality of classes, with each class being assigned a 
security level 17. It is to be understood that the 
selection of the security levels 17 and the partitioning of 

15 the content of database 16 is determined a priori by the 

system developer. Assuming that there areiV s levels of 
security, the data is partitioned into N s classes. 

By way of example, assume the conversational system 10 
comprises an e-mail client, wherein the secure database 16 

20 in this instance is a set of e-mails. Each piece of mail 

can be assigned a level of security based on characteristics 
such as confidentiality level, recipient list, subject 
matter etc. In particular, one method of assigning security 
levels is to consider the "To:", "Subject:", and u cc:" 
YOR9-2000-0093USI (8728-357) - 12 - 



fields of a typical e-mail header. For example, if 
addressees representing large groups (e.g., Speech-Group, 
All, etc.) appear in the "To:" and "cc:" fields, then the 
e-mail can be assigned a low level of security. If, on the 
other hand, the "Subject:" field indicates that the e-mail 
is confidential or private, then a high security level may 
be assigned. Moreover, assume a list of individual 
addresses is given in the u To:" and "cc:" fields. Then the 
system only needs to verify that the user is one of the 
addressees. (i.e. it needs to have a high enough confidence 
that the user is one of the addressees.) For any given 
database, the process of assigning security levels is an 
integral part of the development of an incremental access 
authentication system. 

In accordance with the present invention, an access map 
for accessing the data in database 16 is generated by 
assigning to each of these data classes N s (or security 
levels) a range of confidence measures. A method for 
generating an access map according to one aspect of the 
present invention is described in detail below with 
reference to Fig. 3. When a user initiates a dialog with 
the conversational system 10, the user will provide an 
identity claim/ which is deemed part of the context that is 
stored in context store 15. At the request of the dialog 
YOR9-2000-0093USI (8728-357) - 13 - 



manager 14, a confidence score computation module 18 will 
compute a confidence score C, which represents the level of 
confidence of the system that the user is who he/she claims 
to be. A preferred process for computing the confidence 
5 score C is described in detail below and with reference to 
Fig. 4. 

The confidence score C is then compared with the 
access map to determine the level of secured data (e.g., e- 
mails) that may be accessed by the user from the database 

10 16. The dialog manager 14 prevents user access to any data 

in database 16 that is not made available by the current 
access map. The confidence score C and/or corresponding 
access map are deemed part of the context that is maintained 
in context store 15. As the dialog continues, the speech 

15 data is collected and analyzed to periodically compute a new 
confidence score C based on the original identity claim i. 
More specifically, the dialog manager 14 will signal the 
confidence score computation module 18 to compute a 
confidence score C so that the new confidence level can be 

20 checked against the validity of the original identity claim. 
In this manner, the conversational system 10 can 
periodically update its confidence level in the original 
identity claim and detect speaker changes, if any, so as to 
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control the level of access to data in database 16 
accordingly. After each such analysis, the context is 
updated to reflect the new confidence score. Over the 
course of a dialog session, a sequence of access 
5 maps/confidence scores are stored in the context store 15. 
In this manner, the authentication process is incremental 
and unobtrusive. 

A preferred confidence measure according to an 
r% embodiment of the present invention will now be described. 

|j| 10 It is to be understood that a preferred confidence measure 

Ql is an extension of the conventional binary hypothesis 

W verification approach (equation (1) and hypothesis HO, HI) 

!L discussed above. It is to be appreciated the confidence 

measure described herein can effectively handle multi-modal 
?! 15 distributions, unlike the traditional verification approach. 

Moreover, the confidence measure does not represent an 
answer to the binary hypothesis test - instead, it is a 
continuous measure of confidence in the validity of the 
authentication claim. A preferred confidence score is based 
20 on a linear function of statistical models that characterize 
the score under a plurality of conditions. More 
specifically, a preferred confidence measure is defined as 
follows : 

A binary random variable X is defined as follows: 
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H SB 

ass ; 



r<i{p\m) 

P(X= i)= * 



(4) 



and 



f+00 | 

P(X = 0) = 1 



^ d(pHQ)+\ t d(p\H\) 



(5) 



As is understood by those skilled in the art, equation 
5 (4) is a ratio that represents the "likelihood" that a score 

above the threshold t indicates the validity of the 
hypothesis HO and equation (5) is a ratio that represents 
the "likelihood" that a score above the threshold / 
indicates the validity of hypothesis HI. 
10 In one embodiment of the present invention, the access 

rights decision is based on a confidence measure 
C = P(X = 1) 

v ' . More specifically, when given test data, the 
corresponding p is preferably computed as given by the above 
equation (1) . The computed value p is then set as the lower 
15 limit t on the above integrals in equations (4) and (5) . 

In another embodiment of the present invention, in the 
case of multi -modal distributions where a reject class or 
accept class or both may comprise multiple distributions 
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(such as illustrated in Fig. 5), an additional binary 
variable Y is used for computing the confidence score, which 
is defined as follows: 



P(Y=1) = 



d(p\H0) 



d(p\H0)+d(p\Hl) 



(6) 



and 



P(Y - 0) = 



d(p\m) 



d(p\m)+d(p\m) 



(7) 



where p is the value given by equation (1) . As understood 
by those skilled in the art, equation (6) is a ratio that 
represents the "likelihood" that a particular score 
indicates the validity of hypothesis HO, and equation (7) is 
a ratio that represents the "likelihood" that a particular 
score indicates the validity of hypothesis HI. Furthermore, 
by defining a mixing factor A,, preferably where 0<A,<1, the 
confidence measure C may be computed as follows: 



where C^[0,1] (as discussed below) . A preferred process for 
computing the confidence measure is discussed in more detail 
below with reference to Fig. 4. 

It is to be appreciated that the conversational system 
10 may be implemented with any conversational application, 
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device, machine or platform for controlling access to 
secured data and resources. By way of example, the 
conversational system 10 may be implemented in an IVR 
(interactive voice response) system which executes on a 
5 remote server and which is accessible by a wireless or 

conventional telephone. In addition, the conversational 
system 10 may be implemented in a content server on a 
computer network (e.g., the Internet, an intranet, an 
extranet, a LAN (local area network) for providing 

10 conversational access to secured data or services. The 

content server may be accessible via a client device (e.g., 
a personal computer or a PDA (personal digital assistant) ) 
using any suitable communication protocols known to those 
skilled in the art for transmitting voice data and otherwise 

15 providing appropriate client /server communication. 

Furthermore, the conversational system may be distributed 
among the client and one or more servers. Those skilled in 
the art may readily envision other implementations for a 
conversational system employing a confidence-based 

20 authentication such as the exemplary embodiment described 
herein. 

Referring now to Fig. 2, a flow diagram illustrates a 
method for providing confidence-based incremental access 
authentication according to one aspect of the present 
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invention. Initially, one or more system users are enrolled 
in the system (step 200) using any suitable technique known 
to those skilled in the art. An enrollment process involves 
collecting and processing speech samples provided by a given 
5 system user to build one or more speaker models (or voice 
prints) for the user. Let Mi denote the speaker model (or 
set of speaker models) of the t h enrolled user. These 
speaker models enable the system to subsequently 
authenticate the identity of an enrolled speaker (or target 

10 speaker) using confidence measures as described herein. 

Although any suitable technique may be used for building the 
speaker models, in a preferred embodiment, each speaker 
model represents a speaker dependent probability density on 
the space of speech feature vectors, which enables the use 

15 of likelihood based scoring for computing a confidence 

measure in accordance with the present invention. Moreover, 
depending on the verification technique employed, the system 
may generate and store a plurality of general models (or 
background models) that are used to represent the global 

20 population. Scores may then be computed with respect to 
this global model, as its purpose is to serve as a 
normalization (as is understood by those skilled in the 
art) . 
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A next step in building an incremental access system 
involves partitioning all the content in the accessible 
databases into a plurality of classes based on the security 
level (step 2 01) . As noted above, the system developer will 
5 select these security levels and partition the data as 
desired. Again, assuming that there areJV, levels of 
security, all the data should be partitioned into N s 
classes . 

The next step involves generating an access map (step 
10 2 02) . In one embodiment, the data classes are sorted in the 

order of increasing security level. Each class is assigned 
the numerical value of its order in the sorting. An access 
map is then created which takes as input a number (the 
security or confidence level), 1,...,7V S , and returns the set 
15 of data available at that level. In one embodiment, the 

data available at level L also includes the data 
corresponding to all classes having security levels below 
level L (i.e., based on the sorting, 1, L) , although 

other access configurations may be employed. 
20 Next, the system developer will determine the range of 

confidence scores that are assigned to each security level 
(step 203). The diagram of Fig. 3 illustrates a preferred 
process for performing this step. In Fig. 3, a line segment 

YOR9-2000-0093USI (8728-357) - 20 - 



[0, 1] represents a spectrum of confidence measures C ranging 
in value from 0 to 1. This line segment is partitioned into 
N s non- overlapping regions (denoted, e.g. ,7^ ... L s ) . Each 
region (or partition) indicates the security level for the 
data available to the user based on the computed confidence 
score C. In other words, the region of line segment [0,1] in 
which a computed confidence score C falls into will 
determine an access map, as defined above. 

By way of example as shown in Fig. 3, if a computed 
confidence score C falls within the L 3 region, preferably, 
the user will be able to access the data assigned in 
security levels L 2 through L 3 . It is to be understood that 
Fig. 3 depicts a preferred method in which the confidence 
measure C ranges in value from 0 to 1, although other ranges 
of values may be used. 

It is to be further understood that steps 200-203 
discussed above are initial steps that are performed by the 
system developer for constructing an incremental access 
authentication system according to the present invention. 
It is to be appreciated, however, that such steps may be 
performed at any time after the system is deployed. For 
instance, new users may be subsequently enrolled at any time 
after the system is deployed. In addition, as the system 
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usage is analyzed over time, the access maps and segment 
partitions can be updated to improve system performance. 
Indeed, the parameters may be modified at any time to make 
the system more or less restrictive. 
5 During operation of the system, a user seeking access 

(e.g., requesting e-mails) will input an identity claim to 
the system (step 2 04) . An identity claim may be provided in 
one of various manners, e.g., by entering a password, 
swiping a card through a card reader, speaking/entering the 
f t l 10 user's name/user ID, etc. Once the system receives an 
~i identity claim (affirmative result in step 2 04) , the system 

fi| will compute an initial confidence score C to determine the 

s confidence level in the identity claim (step 205) . 

jfj A preferred method for computing the confidence score 

%l 15 in accordance with the present invention will now be 

described with reference to Fig. 4. Initially, the speaker 
model Mi corresponding to the identity claim i will be 
identified (step 400) . As the user continues to interact 
with the system, speech data is collected. Once enough 
20 speech data has been collected, a score p for the speaker 

will be computed using, e.g., equation (1) above: rt ' 1 
(step 401) . Next, for single mode implementation, the value 



YOR9-2 000-0093USI (8728-357) 



- 22 - 



+00 



\d{p\H0) 



is 



computed (step 402) and the value 




is 



t 



computed (step 403), where the value* for both 
computations is set to the score p (as computed in step 
401) . The values of the integrals computed in steps 402 and 
403 represent the probability that a score p is above the 
threshold t under hypothesis HO and HI, respectively. These 
values are then used (in step 4 06) to compute P(X=1) using 
the above equation (4) . 

Furthermore, for mult i -modal implementations, the value 
d(p HI) is computed (step 404) and the value d(p\ HO) is 
computed (step 405) , and these values are used (in step 407) 
to compute P(Y=1) using the above equation (6) . The values 
computed in steps 404 and 4 05 represent the' likelihood of 
the score p given hypothesis HI and HO, respectively. Once 
P(X=1) and P(Y=1) (if used) are computed, the confidence 
score C is computed (step 408) using the above equation (8). 

Referring back to Fig. 2, once the initial confidence 
score C is computed, a determination may be made as to 
whether the confidence score C exceeds some predetermined 
threshold (step 206) . This step may be performed to 
determine if there is sufficient confidence in the first 
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instance (or at a subsequent time) that the speaker is who 
he/she claims to be based on the identity claim. The 
threshold value may be any desired value, e.g., 0. If the 
confidence score does not exceed the predetermined threshold 

5 (negative determination in step 206) , the system will prompt 

the speaker for additional information or speech input so as 
to clarify the user's claimed identity (step 207). The user 
can then provide the requested information, and a confidence 
score will be computed (step 205) . 

10 On the other hand, if the confidence score C exceeds 

the predetermined threshold (affirmative result in step 
2 06) , based on the computed confidence score C, the system 
will utilize the access map (as explained above with 
reference to Fig. 3) to determine the data (e.g., e-mails) 

15 that the user will be able to access from the secured 

database (step 208) . The system state or context is then 
updated by storing the current confidence measure and/or 
access map along with the claimed identity / in the context 
store (step 209) . 

20 As the dialog session continues (step 210), the user's 

speech is continuously analyzed, and the system will re- 
compute a confidence score C at the occurrence of a 
triggering event (step 211) . The triggering event may be 
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any predetermined event (e.g., receiving a user query, the 
expiration of a predetermined (periodic) time period, etc.) 
based on the given application. When the triggering event 
is detected (step 211) , the system will re-compute the 
5 confidence score (return to step 205) to check the 

confidence level in the validity of the original identity 
claim. For instance, if the new confidence score C falls 
below the predetermined threshold (step 2 06) , the system may 
conclude that the speaker is not the system user associated 

10 with the original identity claim. In this instance, the 
system can prompt the speaker to provide a new identity 
claim, whereby the authentication process described above is 
repeated to provide the new speaker access to data 
appropriately. After each such analysis, the context is 

15 updated to reflect the new confidence score/access map. In 

this manner, the present invention provides an 
authentication process that is incremental and unobtrusive. 

Figure 5 is an exemplary graphical diagram of 
probability densities of target and impostor scores for a 

20 multi -modal implementation. More specifically, Fig. 5 
illustrates probability densities as a function of p 
(equation 1) , in which two probability density functions 
(solid lines) are plotted for a target score and one 
probability density function (dotted line) is plotted for an 
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impostor score. Fig. 6 is an exemplary graphical diagram of 
the confidence measure based on the probability densities 
depicted in Fig. 5 (i.e., the confidence measure (equation 
(8)) is plotted for the densities of Fig. 5) It is to be 
5 appreciated that the function depicted in Fig. 6 can be used 
as a guide to determine the practical or natural partitions 
of the line segment [0,1] (Fig. 3). For instance, the slope 
of the curve may be used to set breakpoints, as this is an 
indication of how fast the confidence measure changes as a 

10 function of the score. As indicated above, based on usage 
observations over time, the access maps and line segment 
partitions may be updated to improve performance. At any 
time, the parameters can be altered to make 4 the system more 
or less restrictive. 

15 Although illustrative embodiments of the present 

invention have been described herein with reference to the 
accompanying drawings, it is to be understobd that the 
present invention is not limited to those precise 
embodiments, and that various other changes and 

20 modifications may be affected therein by one skilled in the 
art without departing from the scope or spirit of the 
invention. All such changes and modifications are intended 
to be included within the scope of the invention as defined 
by the appended claims. 
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WHAT IS CLAIMED IS; 

1. A method for authenticating a user' in a 
conversational system, comprising the steps of: 

receiving an identity claim from a user; 

computing a confidence score based on the identity 
claim using speech input from the user, wherein the 
confidence score is a measure of confidence in the validity 
of the identity claim; 

providing the user access to secured data based on the 
computed confidence score. 

2. The method of claim 1, further comprising the step 
of maintaining the confidence score as part of the system 
state. 

3. The method of claim 1, further comprising the steps 

of: 

partitioning the secured data into a plurality of data 
classes ; 

assigning a security level to each of the data classes; 

and 

constructing an access map based on the security levels 
for accessing the secured data. 
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4. The method of claim 3, further comprising the steps 

of: 

selecting a range of confidence scores; 
partitioning the range of confidence scores into a 
plurality of regions; and 

assigning each region to one of the security levels. 

5. The method of claim 4, wherein the step of 
providing the user access to secured data based on the 
computed confidence score comprises the steps of: 

determining a given region of the plurality of regions 
which comprises the computed confidence score; 

determining the security level assigned to the given 
region; and 

accessing secured data using the access map based on 
the security level assigned to the given region. 

6. The method of claim 5, wherein the step of 
accessing secured data using the access map comprises the 
step of allowing access to secured data that is assigned to 
the security level of the given region and secured data 
assigned to at least one security level that is lower than 
the security level of the given region. 
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7. The method of claim 1, further comprising the step 
of re-computing the confidence score upon an occurrence of a 
predetermined event. 

8. The method of claim 7, wherein the predetermined 
event is a user query for accessing secured data. 

9. The method of claim 1, wherein the confidence score 
is based on a linear function of statistical models that 
characterize the score under a plurality of conditions. 

10. The method of claim 9, wherein the confidence 
score comprises one of (1) a first component for considering 
a single mode implementation and (2) the first component and 
a second component for considering a multi -modal 
implementation . 

11. The method of claim 10, wherein the confidence 
score comprises a mixing factor for weighting the first and 
second component in a multi -modal implementation. 

12. A program storage device readable by a machine, 
tangibly embodying a program of instructions executable by 
the machine, to perform method steps for authenticating a 
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user in a conversational system, the method comprising the 
steps of: 

receiving as input an identity claim from a user; 

computing a confidence score based on the identity 
5 claim using speech input from the user, wherein the 

confidence score is a measure of confidence in the validity 
of the identity claim; 

providing the user access to secured data based on the 
computed confidence score. 

10 13. The program storage device of claim 12, further 

comprising instructions for performing the step of 
maintaining the confidence score as part of the system 
state . 

14. The program storage device of claim 12, further 
15 comprising instructions for performing the steps of: 

partitioning the secured data into a plurality of data 
classes ; 

assigning a security level to each of the data classes; 

and 

20 constructing an access map based on the security levels 

for accessing the secured data. 
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15. The program storage device of claim 14, further 
comprising instructions for performing the steps of: 

selecting a range of confidence scores; 
partitioning the range of confidence scores into a 
plurality of regions; and 

assigning each region to one of the security levels. 

16. The program storage device of claim 15, wherein 
the instructions for performing the step of providing the 
user access to secured data based on the computed confidence 
score comprise instructions for performing the steps of: 

determining a given region of the plurality of regions 
which comprises the computed confidence scores- 
determining the security level assigned to the given 
region; and 

accessing secured data using the access map based on 
the security level assigned to the given region. 

17. The program storage device of claim 16, wherein 
the instructions for performing the step of accessing 
secured data using the access map comprise instructions for 
performing the step of allowing access to secured data that 
is assigned to the security level of the given region and 
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secured data assigned to at least one security level that is 
lower than the security level of the given region. 

18. The program storage device of claim 12, further 
comprising instructions for performing the step of re- 
computing the confidence score upon an occurrence of a 
predetermined event . 

19. The program storage device of claim 18, wherein 
the predetermined event is a user query for accessing 
secured data. 

20. The program storage device of claim 12, wherein 
the confidence score is based on a linear function of 
statistical models that characterize the score under a 
plurality of conditions. 

21. The program storage device of claim 20, wherein 
the confidence score comprises one of (1) a first component 
for considering a single mode implementation and (2) the 
first component and a second component for considering 
multi-modal implementation. 
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22. The program storage device of claim 21, wherein 
the confidence score comprises a mixing factor for weighting 
the first and second component in a multi -modal 
implementation . 

23. An incremental access authentication system, 
comprising : 

a database that is partitioned into a plurality of data 
classes, wherein each data class is assigned a range of 
confidence scores based on a security level of the data 
class ; 

a computation module for periodically computing a 
confidence score during a dialog session with at least one 
user seeking access to data in the database, wherein the 
confidence score is a measure of confidence in the validity 
of an original identity claim provided at a commencement of 
the dialog session; and 

a dialog manager for controlling access to data in the 
database based on a last computed confidence score. 

24. The system of claim 23, further comprising an 
access map for mapping each data class with the 
corresponding range of confidence scores, wherein the access 
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map is utilized by the dialog manager to provide access to 
data based on the last computed confidence score. 

25. The system of claim 23, further comprising means 
for maintaining the last computed confidence score as part 
of the system state. 

26. The system of claim 23, wherein the confidence 
score is based on a linear function of statistical models 
that characterize the score under a plurality of conditions ♦ 

27. The system of claim 26, wherein the confidence 
score comprises one of (1) a first component for considering 
a single mode implementation and (2) the first component and 
a second component for considering a multi -modal 
implementation . 

28. The system of claim 27, wherein the confidence 
score comprises a mixing factor for weighting the first and 
second component in a multi -modal implementation. 



YOR9-2 000-0093USI (872 8-357) 



- 34 - 



SYSTEM AND METHOD FOR CONFIDENCE 
BASED INCREMENTAL ACCESS AUTHENTICATION 

ABSTRACT OF THE DISCLOSURE 

A system and method for providing continuous 
confidence-based authentication. The present invention may 
be implemented in an incremental access authentication 
system for controlling access to secured data having various 
levels of security. During the course of a conversational 
session between user and machine, a confidence-based 
authentication system according to the present invention 
will periodically analyze the input speech of a user 
interacting with the system to compute a "confidence 
measure" for the validity of an original identity claim / 
provided by the user at the commencement of' the dialog 
session. The "confidence measure" computation process 
according to the present invention is seamlessly integrated 
into the incremental access authentication system so that 
the system can tailor its interaction with the user based on 
its confidence in the original identity claim. 
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